[128072] in cryptography@c2.net mail archive
Re: Kaminsky finds DNS exploit
daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Jul 14 09:22:45 2008
From: Florian Weimer <fw@deneb.enyo.de>
To: cryptography@metzdowd.com
Date: Sun, 13 Jul 2008 20:50:37 +0200
In-Reply-To: <20080709172232.GA14326@randombit.net> (Jack Lloyd's message of "Wed, 9 Jul 2008 13:22:32 -0400")
* Jack Lloyd:
> Perhaps there is something subtle here that is more dangerous than the
> well known problems, and all these source port randomization and
> transaction id randomization fixes are just a smokescreen of sorts for
> a fix for something Dan found.
It's not a smokescreen, it's a statistical workaround.
CERT/CC mentions this:
| It is important to note that without changes to the DNS protocol, such
| as those that the DNS Security Extensions (DNSSEC) introduce, these
| mitigations cannot completely prevent cache poisoning.
<http://www.kb.cert.org/vuls/id/800113>
> A statement from the MaraDNS author [3]:
>
> """
> MaraDNS is immune to the new cache poisoning attack.
I think the CERT/CC statement is more appropriate.
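As an added illustration that is not part of the thread, the arithmetic behind calling the randomization fixes a "statistical workaround": a resolver that accepts the first response matching the outstanding query's random bits gives an off-path forger a non-zero chance per forged packet, and more entropy only shrinks that chance. The entropy figures (16 bits for the transaction ID alone, up to about 32 with source-port randomization) are idealized assumptions for the model, not measurements of any particular resolver.

```python
"""Probability model for blind DNS response forgery against a resolver that
checks `entropy_bits` bits of per-query randomness (transaction ID, and
optionally the UDP source port).  Added example; idealized assumptions:
every bit is uniformly random and the forger learns nothing from failures."""
import math
import random


def accept_probability(entropy_bits: int, guesses: int) -> float:
    """P(at least one of `guesses` independently forged responses matches the
    outstanding query).  Never reaches 0, which is the CERT/CC point: without
    DNSSEC the defence is probabilistic, not absolute."""
    space = 2 ** entropy_bits
    return 1.0 - (1.0 - 1.0 / space) ** guesses


def guesses_for_probability(entropy_bits: int, target: float) -> int:
    """Smallest number of forged responses for which accept_probability
    reaches `target` (0 <= target < 1)."""
    space = 2 ** entropy_bits
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - 1.0 / space))


def simulate(entropy_bits: int, guesses: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: per trial the resolver draws a
    fresh random value for the outstanding query and the forger sends
    `guesses` blind guesses (with replacement).  Returns the hit fraction."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    space = 2 ** entropy_bits
    hits = 0
    for _ in range(trials):
        outstanding = rng.randrange(space)
        if any(rng.randrange(space) == outstanding for _ in range(guesses)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for bits in (16, 32):  # TXID only vs. TXID + randomized source port
        print(f"{bits} bits: p(1 guess) = {accept_probability(bits, 1):.3e}, "
              f"guesses for 50% = {guesses_for_probability(bits, 0.5):,}")
```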